LastPass, already reeling from a breach that put partially encrypted login data in the hands of a threat actor, said Monday that the same attacker hacked into an employee’s home computer and obtained a decrypted vault available only to a handful of the company’s developers.
Although the initial breach into LastPass ended on August 12, officials at the leading password manager said the threat actor “actively engaged in a new series of reconnaissance, enumeration, and exfiltration activities” from August 12 to August 26. In the process, the unknown threat actor was able to steal valid credentials from a senior DevOps engineer and gain access to the contents of a LastPass data vault. Among other things, the vault gave access to a shared cloud storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.
Another shoe drops
“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”
Monday’s update comes two months after LastPass issued an earlier bombshell update that, for the first time, said that contrary to previous claims, attackers had obtained customer vault data in both encrypted and plaintext form. LastPass said then that the threat actor had also obtained a cloud storage access key and dual storage container decryption keys, allowing customer vault backup data to be copied out of the encrypted storage container.
The backup data contained unencrypted fields, such as website URLs, alongside website usernames and passwords, secure notes, and form-fill data, which carried an additional layer of AES 256-bit encryption. The new details explain how the threat actor obtained the S3 encryption keys.
Monday’s update said that the tactics, techniques, and procedures used in the first incident were different from those used in the second, and that as a result it was not initially clear to investigators that the two were directly related. During the second incident, the threat actor used the information obtained during the first to enumerate and exfiltrate the data stored in the S3 buckets.
“Alerts and logging were enabled during these events, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation,” LastPass officials wrote. “Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.”
LastPass learned of the second incident from Amazon warnings about anomalous behavior when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activities.
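The detection problem the two paragraphs above describe is that stolen credentials look like the legitimate user. Two signals that survive that problem are the origin the credentials are used from and the shape of the activity. The following is an added example, not LastPass code and not how AWS generates its own anomaly alerts: it builds a per-principal baseline of (source IP, user agent) pairs from a trusted window of CloudTrail-style records, then flags sensitive actions from a never-seen origin and bursts of bucket enumeration. The principal ARN, bucket names, timestamps and IP addresses (RFC 5737 documentation ranges) are constructed; the field names follow the public CloudTrail record format, and the thresholds are illustrative.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions worth alerting on when issued from an origin the principal has
# never used before. Event names are CloudTrail's; the set is an assumption.
NEW_ORIGIN_ACTIONS = {"AssumeRole", "ListBuckets", "GetObject", "Decrypt", "GetSecretValue"}
ENUM_ACTIONS = {"ListObjects", "ListObjectsV2"}   # S3 data events (must be enabled in the trail)
ENUM_THRESHOLD = 5                                # distinct buckets listed ...
ENUM_WINDOW = timedelta(minutes=10)               # ... within this sliding window


def parse_events(lines):
    """Parse one JSON CloudTrail-style record per line."""
    return [json.loads(line) for line in lines if line.strip()]


def _origin(event):
    return (event["sourceIPAddress"], event.get("userAgent", ""))


def build_baseline(events):
    """Map each principal ARN to the set of origins seen in a trusted window."""
    seen = defaultdict(set)
    for e in events:
        seen[e["userIdentity"]["arn"]].add(_origin(e))
    return seen


def detect(events, baseline):
    """Return findings for new-origin sensitive actions and enumeration bursts."""
    findings = []
    listed = defaultdict(list)   # arn -> [(time, bucket)] for enumeration tracking
    for e in events:
        arn, name = e["userIdentity"]["arn"], e["eventName"]
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if name in NEW_ORIGIN_ACTIONS and _origin(e) not in baseline.get(arn, set()):
            findings.append({"rule": "sensitive-action-from-new-origin", "arn": arn,
                             "event": name, "source": e["sourceIPAddress"], "time": e["eventTime"]})
        if name in ENUM_ACTIONS:
            listed[arn].append((when, e.get("requestParameters", {}).get("bucketName")))
            recent = {b for t, b in listed[arn] if when - t <= ENUM_WINDOW}
            if len(recent) == ENUM_THRESHOLD:    # fire once, as the threshold is crossed
                findings.append({"rule": "bucket-enumeration-burst", "arn": arn,
                                 "buckets": sorted(recent), "source": e["sourceIPAddress"],
                                 "time": e["eventTime"]})
    return findings


# ---- constructed sample data (not real logs) --------------------------------
ARN = "arn:aws:iam::123456789012:user/devops-engineer"   # hypothetical principal


def _rec(time, name, ip, ua, bucket=None):
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userAgent": ua, "userIdentity": {"type": "IAMUser", "arn": ARN}}
    if bucket:
        rec["requestParameters"] = {"bucketName": bucket}
    return json.dumps(rec)


KNOWN = ("203.0.113.10", "aws-cli/2.7.0")        # engineer's usual origin
NEW = ("198.51.100.77", "aws-sdk-go/1.44.0")     # attacker using the stolen credentials

BASELINE_LINES = [
    _rec("2022-08-01T09:00:00Z", "ListBuckets", *KNOWN),
    _rec("2022-08-01T09:05:00Z", "GetObject", *KNOWN, bucket="build-artifacts"),
]
SUSPECT_LINES = [
    _rec("2022-08-13T02:10:00Z", "AssumeRole", *NEW),
    _rec("2022-08-13T02:11:00Z", "ListBuckets", *NEW),
    _rec("2022-08-13T02:12:00Z", "ListObjects", *NEW, bucket="vault-backups"),
    _rec("2022-08-13T02:13:00Z", "ListObjects", *NEW, bucket="db-backups"),
    _rec("2022-08-13T02:14:00Z", "ListObjects", *NEW, bucket="build-artifacts"),
    _rec("2022-08-13T02:15:00Z", "ListObjects", *NEW, bucket="logs-archive"),
    _rec("2022-08-13T02:16:00Z", "ListObjects", *NEW, bucket="kms-exports"),
    _rec("2022-08-13T02:17:00Z", "GetObject", *NEW, bucket="vault-backups"),
    _rec("2022-08-13T09:00:00Z", "GetObject", *KNOWN, bucket="build-artifacts"),  # legitimate
]


def run_example():
    baseline = build_baseline(parse_events(BASELINE_LINES))
    return detect(parse_events(SUSPECT_LINES), baseline)


if __name__ == "__main__":
    for finding in run_example():
        print(json.dumps(finding))
```

The legitimate GetObject from the engineer's usual origin produces nothing, while the same credentials used from the new origin produce three new-origin findings and one enumeration burst. In practice the baseline window must itself predate the compromise, and the origin check should be widened to the ASN or VPC rather than the exact IP to avoid noise from home connections that change address.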
According to a person briefed on a private LastPass report and speaking on condition of anonymity, the media software package that was exploited on the employee’s home computer was Plex. Interestingly, Plex reported its own network intrusion on August 24, just 12 days after the second incident began. The breach allowed the threat actor to access a proprietary database and obtain password, username, and email information belonging to some of its 30 million customers. Plex is a major streaming media service provider that allows users to stream movies and audio, play games, and access their own content hosted on home or local media servers.
It is unclear if the Plex breach has any connection to the LastPass intrusions. Representatives for LastPass and Plex did not respond to emails seeking comment for this story.
The threat actor behind the LastPass breach has proven to be especially resourceful, and the revelation that they successfully exploited a software vulnerability on an employee’s home computer further reinforces that view. As Ars advised in December, all LastPass users should change their master passwords and all passwords stored in their vaults. While it is not clear whether the threat actor has access to any of them, the precaution is warranted.